4.23.2007

Why is it difficult for an automatic web application security audit tool to detect vulnerabilities? Every web application responds differently to an attack request, so looking for fixed error strings in the response is not a reliable way to find them.

Sanshi has a module that detects SQL injection, path traversal, and similar vulnerabilities.

Consider two versions of the same code: one that has these vulnerabilities, and one that does not.

Regardless of the request, the response of the non-vulnerable application (list 2) is always the output of the printResult() function.

So, if the application is vulnerable, you can see that the structure of the response to a correct request differs from the structure of the response to an error-causing request. Not only the text differs, but also the structure of the HTML tags.

It is difficult for a tool to find vulnerabilities from differences in the text, because a difference in the text is a difference in meaning: the tool would have to understand what the sentence means, and that is very hard for a tool to do.

But it is easy for a tool to find vulnerabilities from differences in the structure of the HTML tags, because that is a purely structural difference: to find vulnerabilities, the tool only has to compare the tag structures of the responses.
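The comparison described above, as an added example that is not Sanshi's code and not a listing from this post. It reduces each response to a skeleton of tag names (text and attributes dropped, runs of identical sibling elements collapsed so that a table with three rows and one with thirty look alike) and flags a probe response only when its skeleton matches none of the skeletons seen in benign responses. The sample pages, the search parameter, the file name search.php and the error text in the vulnerable response are all constructed for the example and stand in for the two listings discussed above.

```python
from html import escape
from html.parser import HTMLParser

VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}


class SkeletonBuilder(HTMLParser):
    """Parse a page into a tree of tag names, dropping all text and attributes."""

    def __init__(self):
        super().__init__()
        self.root = ("#root", [])
        self._stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = (tag, [])
        self._stack[-1][1].append(node)
        if tag not in VOID_TAGS:          # void elements never get an end tag
            self._stack.append(node)

    def handle_startendtag(self, tag, attrs):
        self._stack[-1][1].append((tag, []))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; real pages leave <p>,
        # <li>, <td> and the like unclosed, so do not raise on mismatches.
        for i in range(len(self._stack) - 1, 0, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def _fold(node):
    tag, children = node
    parts = []
    for child in children:
        sub = _fold(child)
        # Collapse runs of identical siblings: a table with 3 rows and one
        # with 30 rows describe the same page layout.
        if not parts or parts[-1] != sub:
            parts.append(sub)
    return "%s(%s)" % (tag, ",".join(parts))


def skeleton(page):
    """Canonical string for the tag structure of an HTML page."""
    parser = SkeletonBuilder()
    parser.feed(page)
    parser.close()
    return _fold(parser.root)


def text_differs(probe, benign_pages):
    """The naive check: any change in the response text counts. Flags almost everything."""
    return probe not in benign_pages


def is_structural_anomaly(probe, benign_pages):
    """The structural check: flag only a tag layout never seen in benign traffic."""
    known = {skeleton(p) for p in benign_pages}
    return skeleton(probe) not in known


# ---- constructed sample responses (not captured from any real application) ----

def _page(query, body):
    return ("<html><head><title>Search</title></head><body><h1>Search</h1>"
            "<p>Results for: %s</p>%s</body></html>" % (escape(query), body))


def _result_table(rows):
    trs = "".join("<tr><td>%d</td><td>%s</td></tr>" % r for r in rows)
    return ("<table><tr><th>id</th><th>name</th></tr>%s</table>"
            "<p>%d row(s)</p>" % (trs, len(rows)))


BENIGN_RESPONSES = [
    _page("a", _result_table([(1, "alice"), (2, "bob"), (3, "carol")])),
    _page("bob", _result_table([(2, "bob")])),
    _page("zzz", _result_table([])),   # a legitimate "no match" page
]

# Vulnerable application: the quote breaks the SQL statement and the error
# path prints a dump instead of calling the result printer.
VULNERABLE_PROBE_RESPONSE = _page(
    "a'", "<pre>Query failed: unterminated quoted string\n  at search.php:42</pre>")

# Hardened application: the probe is just an odd search term; the same
# result printer runs as always and reports no match.
HARDENED_PROBE_RESPONSE = _page("a'", _result_table([]))


if __name__ == "__main__":
    for name, resp in [("vulnerable", VULNERABLE_PROBE_RESPONSE),
                       ("hardened", HARDENED_PROBE_RESPONSE)]:
        print(name, "text differs:", text_differs(resp, BENIGN_RESPONSES),
              "structural anomaly:", is_structural_anomaly(resp, BENIGN_RESPONSES))
```

Both probe responses differ from every benign page as text (the echoed search term alone guarantees that), so a text comparison flags the hardened application just as loudly as the vulnerable one. Only the vulnerable response changes the tag layout. The benign set must include a legitimate empty result, since a table with zero data rows is a different structure from a table with one or more; in practice a tool collects that baseline by sending a few harmless requests before it sends any attack requests.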